SSL Certificate Creation Using Keytool Commands

keytool is available in /jvm/bin

For Server1

Step 1: Creating the “public-private” key pair.
keytool -genkey -alias Server1 -validity 365 -keystore D:\Certificates\Server1_keystore.jks

Step 2: Validate the “public-private” key pair.
keytool -list -v -keystore D:\Certificates\Server1_keystore.jks

Step 3: Extract the “public key” from the “public-private” key pair
keytool -export -alias Server1 -keystore D:\Certificates\Server1_keystore.jks -rfc -file D:\Certificates\Server1_publickey.cer

Step 4: Create the Truststore using the public key extracted.
keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server1_trustore.jks
keytool -list -v -keystore D:\Certificates\Server1_trustore.jks

For Server2

Step 5: Creating the “public-private” key pair.
keytool -genkey -alias Server2 -validity 365 -keystore D:\Certificates\Server2_keystore.jks

Step 6: Validate the “public-private” key pair.
keytool -list -v -keystore D:\Certificates\Server2_keystore.jks

Step 7: Extract the “public key” from the “public-private” key pair
keytool -export -alias Server2 -keystore D:\Certificates\Server2_keystore.jks -rfc -file D:\Certificates\Server2_publickey.cer

Step 8: Create the Truststore using the public key extracted.
keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server2_trustore.jks
keytool -list -v -keystore D:\Certificates\Server2_trustore.jks

Combine

Step 9: Add both public cert to the truststore .
keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server2_trustore.jks
keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks
keytool -list -v -keystore D:\Certificates\Server2_trustore.jks

I have generated certificate,public key and trust store for server1 and server2 as per the commands mention above
BUT
While I am trying to combine both public certs to the trust store as per the commands mention in Step 9

Combine

Step 9: Add both public cert to the truststore .
keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server2_trustore.jks ( This command is working good BUT 2nd commands failing with below exception)
keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks
keytool -list -v -keystore D:\Certificates\Server2_trustore.jks

Exception while combining both public certs to trust store? Pls explain why it’s failing or how to combine both public certs to trust store ?

D:\webMethods\jvm\jvm\jre\bin>keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Hi Rajiv,

make sure to use the correct password for the keystores.

The password is the one choosen for the JKS-File.

Regards,
Holger

Hi Holger,

WM Env : 9.7
This is just a POC so,I kept password similar from step 1 to step 9 and even had tried on different webMethods installation directory where keytool utility is present.

commands in step 1-8 is working fine but while executing step 9 command

Is it full/single commands or combination of 2 commands which we have to execute individually ?

keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server2_trustore.jks
keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks
keytool -list -v -keystore D:\Certificates\Server2_trustore.jks


D:\webMethods\jvm\jvm\jre\bin>keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server2_trustore.jks
Enter keystore password: --> Working good but when i enter next line/commands shown below it’s failing with exception

D:\webMethods\jvm\jvm\jre\bin>keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I believe step 9 :Add both public cert to the trust store was mention in initial thread was incorrect

Correct commands Is :-

keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server2_trustore.jks -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks -list -v -keystore D:\Certificates\Server2_trustore.jks

Can some one verify and confirm same? As above CMD was executed successfully

Hi Rajiv,

what does “keytool -list -v -keystore D:\Certificates\Server1_trustore.jks” return instead “keytool -list -v -keystore D:\Certificates\Server2_trustore.jks”?

What did “keytool -list -v -keystore D:\Certificates\Server2_trustore.jks” in the previous try?

I cannot see any thing wrong with the original commands, so I guess there must have been a typo in at least one of the passwords used in the first 8 steps which causes the error message in step 9.

Did you try to re-create the truststores and try step 9 again?.

Must likely you will only need to create one single truststore for both certificates:
keytool -import -trustcacerts -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Servers_trustore.jks
keytool -import -trustcacerts -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Servers_trustore.jks
keytool -list -v -keystore D:\Certificates\Servers_trustore.jks

Regards,
Holger

Hi Holger,

Yeah, I have tried twice but get struck while combining certs into trust store at step 9

While I am trying to combine both certs into single trust store file by using step 9 command but no luck :frowning: Can you tell me what was the wrong in below command ?

D:\webMethods\jvm\jvm\bin>keytool -import -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Server2_trustore.jks keytool -import -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Server1_trustore.jks keytool -list -v -keystore D:\Certificates\Server2_trustore.jks
Illegal option: keytool
keytool -importcert [OPTION]…

Imports a certificate or a certificate chain

Options:

-noprompt do not prompt
-trustcacerts trust certificates from cacerts
-protected password through protected mechanism
-alias alias name of the entry to process
-file input file name
-keypass key password
-keystore keystore name
-storepass keystore password
-storetype keystore type
-providername provider name
-providerclass provider class name
-providerarg provider argument
-providerpath provider classpath
-v verbose output

Use “keytool -help” for all available commands

D:\webMethods\jvm\jvm\bin>

Hi Rajiv,

the command is just to long.

I dont think that keytool is able to handle multliple occurences of the options in one call.

Did you try the commands from my last post?
What was the outcome?

Regards,
Holger

Pls find the outcome

D:\webMethods\jvm\jvm\bin>keytool -import -trustcacerts -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Servers_trustore.jks keytool -import -trustcacerts -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Servers_trustore.jks keytool -list -v -keystore D:\Certificates\Servers_trustore.jks
Illegal option: keytool
keytool -importcert [OPTION]…

Imports a certificate or a certificate chain

Options:

-noprompt do not prompt
-trustcacerts trust certificates from cacerts
-protected password through protected mechanism
-alias alias name of the entry to process
-file input file name
-keypass key password
-keystore keystore name
-storepass keystore password
-storetype keystore type
-providername provider name
-providerclass provider class name
-providerarg provider argument
-providerpath provider classpath
-v verbose output

Use “keytool -help” for all available commands

D:\webMethods\jvm\jvm\bin>

Hi Rajiv,

now I am getting the error:

You have put all three commands into one line.
Please try these one by one using the password of your choice.

keytool -import -trustcacerts -alias Server1 -file D:\Certificates\Server1_publickey.cer -keystore D:\Certificates\Servers_trustore.jks
keytool -import -trustcacerts -alias Server2 -file D:\Certificates\Server2_publickey.cer -keystore D:\Certificates\Servers_trustore.jks
keytool -list -v -keystore D:\Certificates\Servers_trustore.jks

Regards,
Holger

Thanks Holger :slight_smile:

Perfect.

Rajiv – I don’t have environment to help you on this certificate part. Anyways Holger hands are always helpful.

Thanks,